SAML examples

AuthnRequest

To initiate an authentication process, you send an AuthnRequest to Signicat.

AuthnRequest basic example

This example shows a basic SAML AuthnRequest. You can add more information to the request, but the bare minimum looks like the following. Generate a new, unpredictable ID for every request (the value is an xsd:ID, so it must start with a letter or underscore rather than a digit, which is why the examples begin with _) and keep it until the response arrives, because the InResponseTo of the response must be checked against it:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AttributeConsumingServiceIndex="1"
Destination="https://*YOUR_SIGNICAT_DOMAIN*/auth/saml/login" ForceAuthn="true"
ID="_b6a016332e19a825bb42917c9870c93a" IssueInstant="2021-03-09T10:26:17.210Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
ENTITY_ID
</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
XML_SIGNATURE
</ds:Signature>
</saml2p:AuthnRequest>

AuthnRequest example with language

The following example shows how to request the user-interface language: the language code (here no, the ISO 639-1 code for Norwegian) is passed as the value of a RequestedAttribute named signicat:param:language inside the Extensions element:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AttributeConsumingServiceIndex="1"
Destination="https://*YOUR_SIGNICAT_DOMAIN*/auth/saml/login" ForceAuthn="true"
ID="_b6a016332e19a825bb42917c9870c93a" IssueInstant="2021-03-09T10:26:17.210Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
ENTITY_ID
</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
XML_SIGNATURE
</ds:Signature>
<saml2p:Extensions xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<req-attr:RequestedAttributes xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr">
<md:RequestedAttribute xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="signicat:param:language" isRequired="true">
<saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">no</saml2:AttributeValue>
</md:RequestedAttribute>
</req-attr:RequestedAttributes>
</saml2p:Extensions>
</saml2p:AuthnRequest>

AuthnRequest example REDIRECT binding with prefilled attributes

With the HTTP-Redirect binding the request is DEFLATE-compressed, base64-encoded and sent as the SAMLRequest query parameter, and the signature travels in the SigAlg and Signature query parameters rather than as an embedded ds:Signature element, which is why this example contains none. The signicat:prefilled:* entries pass values, here an email address and a mobile number, to be prefilled for the end user during the authentication flow:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AttributeConsumingServiceIndex="1"
Destination="https://*YOUR_SIGNICAT_DOMAIN*/auth/saml/login" ForceAuthn="true"
ID="_b6a016332e19a825bb42917c9870c93a" IssueInstant="2021-03-09T10:26:17.210Z"
Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
ENTITY_ID
</saml2:Issuer>
<saml2p:Extensions>
<req-attr:RequestedAttributes xmlns:req-attr="urn:oasis:names:tc:SAML:protocol:ext:req-attr"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<md:RequestedAttribute isRequired="true"
Name="firstName"/>
...
<md:RequestedAttribute Name="signicat:prefilled:email">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">subject@example.com</saml:AttributeValue>
</md:RequestedAttribute>
<md:RequestedAttribute isRequired="false"
Name="signicat:prefilled:mobile">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">1234567890</saml:AttributeValue>
</md:RequestedAttribute>
</req-attr:RequestedAttributes>
</saml2p:Extensions>
</saml2p:AuthnRequest>

AuthnRequest with IdP scoping

IdP scoping lets you restrict which eIDs are offered to your users for authentication. With SAML 2.0, list each eID as the ProviderID of an IDPEntry element inside the Scoping/IDPList of the request, as shown below for a single entry:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AttributeConsumingServiceIndex="1"
Destination="https://*YOUR_SIGNICAT_DOMAIN*/auth/saml/login" ForceAuthn="false"
ID="_aeaf5a7ddbc280bde07a1024f0574b70" IssueInstant="2021-03-09T10:47:58.502Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
ENTITY_ID
</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
XML_SIGNATURE
</ds:Signature>
<saml2p:Scoping>
<saml2p:IDPList>
<saml2p:IDPEntry ProviderID="ftn"/>
</saml2p:IDPList>
</saml2p:Scoping>
</saml2p:AuthnRequest>

To learn more about this feature, see the IdP scoping documentation.

AuthnRequest with RequestedAuthnContext and with REDIRECT binding

This request asks, with Comparison="minimum", for an authentication context at least as strong as PasswordProtectedTransport, and it sets AssertionConsumerServiceURL and IsPassive explicitly. An AssertionConsumerServiceURL in a request only selects one of the ACS endpoints registered in your SP metadata; SAML requires the identity provider to verify the value against that metadata before sending a response there, since an IdP that honoured arbitrary values would let anyone able to submit a request redirect assertions to an endpoint they control. Keep your metadata as the authoritative list of endpoints. As in the previous REDIRECT example, the signature is carried in the query string rather than in the XML:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://*SP_CLIENT_DOMAIN*/saml/acs"
AttributeConsumingServiceIndex="0" Destination="https://*YOUR_SIGNICAT_DOMAIN*/auth/saml/login"
ForceAuthn="true" ID="_7457921E6AA91C24CC1FEDBFBF763618" IsPassive="false"
IssueInstant="2021-03-09T10:53:19Z" Version="2.0"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>ENTITY_ID</saml:Issuer>
<samlp:RequestedAuthnContext Comparison="minimum">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
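The following Python block is an added example, not code from the Signicat documentation. It builds an AuthnRequest of the shape shown in the basic and IdP-scoping examples above, with a fresh random ID and a millisecond-precision UTC IssueInstant, and encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding into the SAMLRequest parameter), together with the inverse decoding you can use to inspect a captured login URL. The destination and entity ID are the placeholders from the examples above, not real endpoints; query-string signing (SigAlg and Signature) is described in a comment but not implemented, because it needs the SP's private key.

```python
"""Build a SAML 2.0 AuthnRequest and encode it for the HTTP-Redirect binding (stdlib only)."""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2p", SAMLP)
ET.register_namespace("saml2", SAML)

# Assumed placeholder values mirroring the page's examples; not real endpoints.
DESTINATION = "https://YOUR_SIGNICAT_DOMAIN/auth/saml/login"
ENTITY_ID = "ENTITY_ID"
EXAMPLE_INSTANT = datetime(2021, 3, 9, 10, 26, 17, 210000, tzinfo=timezone.utc)


def new_request_id() -> str:
    """Fresh, unguessable request ID. xsd:ID is an NCName and may not start with a digit,
    hence the leading underscore; 128 bits of randomness rules out collisions and guessing."""
    return "_" + secrets.token_hex(16)


def saml_instant(when: datetime) -> str:
    """UTC timestamp with millisecond precision, e.g. 2021-03-09T10:26:17.210Z."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def build_authn_request(entity_id: str, destination: str, request_id: str, issue_instant: datetime,
                        force_authn: bool = True, idp_scope: Optional[List[str]] = None) -> bytes:
    """Serialise an AuthnRequest like the page's basic example, optionally with IdP scoping.
    No embedded ds:Signature: with the Redirect binding the signature goes in the query string."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": saml_instant(issue_instant),
        "Destination": destination,
        "ForceAuthn": "true" if force_authn else "false",
        "AttributeConsumingServiceIndex": "1",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = entity_id
    if idp_scope:
        idp_list = ET.SubElement(ET.SubElement(req, f"{{{SAMLP}}}Scoping"), f"{{{SAMLP}}}IDPList")
        for provider_id in idp_scope:
            ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": provider_id})
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def to_redirect_url(destination: str, request_xml: bytes, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode as SAMLRequest.
    A signing SP then appends SigAlg and a Signature over 'SAMLRequest=...&RelayState=...&SigAlg=...';
    that needs the SP private key and is left out here."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects a raw deflate stream
    deflated = compressor.compress(request_xml) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{destination}?{urlencode(params)}"


def from_redirect_url(url: str) -> bytes:
    """Inverse of to_redirect_url, as the IdP decodes it; handy for inspecting captured login URLs."""
    deflated = base64.b64decode(parse_qs(urlsplit(url).query)["SAMLRequest"][0])
    return zlib.decompress(deflated, -15)


if __name__ == "__main__":
    xml = build_authn_request(ENTITY_ID, DESTINATION, new_request_id(), datetime.now(timezone.utc),
                              idp_scope=["ftn"])
    print(to_redirect_url(DESTINATION, xml, relay_state="order-42"))
```

Store the ID returned by new_request_id() in the user's session before redirecting; when the response comes back, its InResponseTo must match exactly one stored, unconsumed ID.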

AuthnResponse

At the end of an authentication flow, the identity provider sends a SAML Response (referred to here as an AuthnResponse) to the service provider's AssertionConsumerService. In the Signicat setup, Signicat acts as the identity provider towards your service, so you receive the AuthnResponse when the end-user authentication flow finishes. If the end-user authentication is successful, the response carries a Success status and a signed Assertion with the NameID and attributes of the end user. Before trusting anything in it, verify the signature on the Response and on the Assertion against the certificate in Signicat's metadata, and check that InResponseTo matches a request you issued, that Destination and Recipient are your ACS URL, that Audience is your EntityID, that the Issuer is the expected Signicat issuer, and that the current time falls within NotBefore and NotOnOrAfter.

AuthnResponse example with DigiD

Example of a SAML response after end-user login with DigiD:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://*SP_CLIENT_DOMAIN*/saml/acs" ID="_04ace7e4085e09ac84e6b99be926c5ac" InResponseTo="_5cd72f201985cf4261e0224ac32638e2" IssueInstant="2023-12-12T16:27:06.399Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://*YOUR_SIGNICAT_DOMAIN*/auth/saml</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ab99d298dc73af395150d8367bf8bcd" IssueInstant="2023-12-12T16:27:06.424Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer>https://*YOUR_SIGNICAT_DOMAIN*/auth/saml</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
...
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">n8ek7xaPjR6XOGseV-NI9MJvLH6Zf2ciWC0gSEuLo5A=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_5cd72f201985cf4261e0224ac32638e2" NotOnOrAfter="2023-12-12T16:29:06.424Z" Recipient="https://*SP_CLIENT_DOMAIN*/saml/acs"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2023-12-12T16:27:01.424Z" NotOnOrAfter="2023-12-12T16:29:06.424Z">
<saml2:AudienceRestriction>
<saml2:Audience>ENTITY_ID</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="nin">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">900234854</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="nin.issuingCountry">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">NL</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="nin.type">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">PERSON</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthnStatement AuthnInstant="2023-12-12T16:27:06.425Z" SessionIndex="a749063e-b11a-4e2b-beee-927a9f132446">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>https://was-preprod1.digid.nl/saml/idp/metadata</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>

AuthnResponse example with eHerkenning

Example AuthnResponse after end-user login with eHerkenning:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://*SP_CLIENT_DOMAIN*/saml/acs" ID="_8ecbe9dcd8c6e4765d5b6bd9cf5f2010" InResponseTo="_6dee7048f7b558987b5d9900e1b20832" IssueInstant="2023-12-11T12:35:48.235Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://*YOUR_SIGNICAT_DOMAIN*/auth/saml</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
XML_SIGNATURE
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_03c096c04b157811ec2af48c91e4d618" IssueInstant="2023-12-11T12:35:48.263Z" Version="2.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer>https://*YOUR_SIGNICAT_DOMAIN*/auth/saml</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
XML_SIGNATURE
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="urn:etoegang:HM:00000003244440010000:entities:9713">k5QDBPNavooSgsxQNCITxSnQc5oo37cqev726-Iz1-Y=</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_6dee7048f7b558987b5d9900e1b20832" NotOnOrAfter="2023-12-11T12:37:48.263Z" Recipient="https://*SP_CLIENT_DOMAIN*/saml/acs"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2023-12-11T12:35:43.263Z" NotOnOrAfter="2023-12-11T12:37:48.263Z">
<saml2:AudienceRestriction>
<saml2:Audience>ENTITY_ID</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="name">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Gerarda Josephina Kierkegaard</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="firstName">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Gerarda Josephina</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="lastName">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Kierkegaard</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="email">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">email@example.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="pseudo">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">03659FB1FAE5D26DB2D28866C1A4FE7F4E1CD5E62DD2552EE3D3B11D4C27163D@9162F54B3B07284AC4E147A849DEAEE4</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="kvkNr">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">24444001</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="rsin">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">819935177</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="serviceID">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:etoegang:DV:00000003244440010000:services:9121</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="serviceUUID">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">cf1c1457-cc97-4b47-a324-25d1a97db3cb</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="intermediateKvkNr">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">24444002</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="companyName">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Signicat</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="intermediateCompanyName">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Intermediary</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthnStatement AuthnInstant="2023-12-11T12:35:48.264Z" SessionIndex="14779d0d-08bb-4929-95a2-499363b122f7">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
<saml2:AuthenticatingAuthority>urn:etoegang:HM:00000003244440010000:entities:9713</saml2:AuthenticatingAuthority>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
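As an added example that is not part of the Signicat documentation, the Python block below performs the field-level checks described at the start of this section on the DigiD response shown above. The response is copied in as sample input, abridged (signatures and AuthnStatement dropped, the placeholder markers replaced by plain host names), and the SP's expected issuer, ACS URL, EntityID and issued request ID are assumed to match it. The block assumes the XML signatures have already been verified with a proper XML-DSig library; it covers only the checks that follow, and it also refuses a replayed assertion, a response delivered after NotOnOrAfter, and a response whose InResponseTo names no outstanding request.

```python
"""Validate a SAML Response's security-relevant fields before trusting it (stdlib only). Assumes the
ds:Signature on Response and Assertion was already verified (e.g. xmlsec); use defusedxml in production."""
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Assumed SP configuration matching the sample below, the request it sent, and two clock readings.
SP = dict(expected_issuer="https://YOUR_SIGNICAT_DOMAIN/auth/saml",
          acs_url="https://SP_CLIENT_DOMAIN/saml/acs", audience="ENTITY_ID")
REQUEST_ID = "_5cd72f201985cf4261e0224ac32638e2"
NOW = datetime(2023, 12, 12, 16, 27, 30, tzinfo=timezone.utc)  # inside the 16:27:01..16:29:06 window
LATE = NOW + timedelta(minutes=10)                             # well past NotOnOrAfter

# Constructed sample: the page's DigiD Response, abridged; the values are the page's own test data.
SAMPLE_RESPONSE = b"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_04ace7e4085e09ac84e6b99be926c5ac" Version="2.0"
 InResponseTo="_5cd72f201985cf4261e0224ac32638e2" IssueInstant="2023-12-12T16:27:06.399Z" Destination="https://SP_CLIENT_DOMAIN/saml/acs">
 <saml2:Issuer>https://YOUR_SIGNICAT_DOMAIN/auth/saml</saml2:Issuer>
 <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
 <saml2:Assertion ID="_7ab99d298dc73af395150d8367bf8bcd" IssueInstant="2023-12-12T16:27:06.424Z" Version="2.0">
  <saml2:Issuer>https://YOUR_SIGNICAT_DOMAIN/auth/saml</saml2:Issuer>
  <saml2:Subject>
   <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://was-preprod1.digid.nl/saml/idp/metadata">n8ek7xaPjR6XOGseV-NI9MJvLH6Zf2ciWC0gSEuLo5A=</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData InResponseTo="_5cd72f201985cf4261e0224ac32638e2" NotOnOrAfter="2023-12-12T16:29:06.424Z" Recipient="https://SP_CLIENT_DOMAIN/saml/acs"/>
   </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2023-12-12T16:27:01.424Z" NotOnOrAfter="2023-12-12T16:29:06.424Z">
   <saml2:AudienceRestriction><saml2:Audience>ENTITY_ID</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
   <saml2:Attribute Name="nin"><saml2:AttributeValue>900234854</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
 </saml2:Assertion>
</saml2p:Response>"""


class SamlValidationError(Exception):
    pass


def _ts(value):  # SAML timestamps are UTC ('Z'); fractional seconds are optional
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def _one(parent, path):
    """Exactly one match, so a duplicated element cannot smuggle in a second value."""
    found = parent.findall(path, NS)
    if len(found) != 1:
        raise SamlValidationError(f"expected exactly one {path}, found {len(found)}")
    return found[0]


def validate_response(xml, *, expected_issuer, acs_url, audience, outstanding_request_ids,
                      seen_assertion_ids, now, clock_skew=timedelta(seconds=60)):
    """Return NameID and attributes of an acceptable Response, else raise SamlValidationError."""
    resp = ET.fromstring(xml)
    if _one(resp, "p:Status/p:StatusCode").get("Value") != SUCCESS:
        raise SamlValidationError("authentication did not succeed")
    if resp.get("Destination") != acs_url:
        raise SamlValidationError("Destination is not our ACS URL")
    # One Assertion in the whole document, as a direct child: a second or nested Assertion is the
    # shape of a signature-wrapping attack, so refuse it instead of picking one.
    if len(resp.findall("a:Assertion", NS)) != 1 or sum(1 for _ in resp.iter(f"{{{NS['a']}}}Assertion")) != 1:
        raise SamlValidationError("expected exactly one top-level Assertion")
    assertion = resp.find("a:Assertion", NS)
    for issuer in (_one(resp, "a:Issuer"), _one(assertion, "a:Issuer")):
        if (issuer.text or "").strip() != expected_issuer:
            raise SamlValidationError("unexpected Issuer")
    in_response_to = resp.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        raise SamlValidationError("InResponseTo does not match a request we issued")
    confirmation = _one(assertion, "a:Subject/a:SubjectConfirmation")
    if confirmation.get("Method") != BEARER:
        raise SamlValidationError("unsupported SubjectConfirmation method")
    data = _one(confirmation, "a:SubjectConfirmationData")
    if data.get("Recipient") != acs_url or data.get("InResponseTo") != in_response_to:
        raise SamlValidationError("SubjectConfirmationData is for another request or endpoint")
    if now >= _ts(data.get("NotOnOrAfter")) + clock_skew:
        raise SamlValidationError("SubjectConfirmationData expired")
    cond = _one(assertion, "a:Conditions")
    if now + clock_skew < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")) + clock_skew:
        raise SamlValidationError("Assertion outside its validity window")
    if audience not in [a.text.strip() for a in cond.findall("a:AudienceRestriction/a:Audience", NS)]:
        raise SamlValidationError("Assertion is not addressed to our EntityID")
    if assertion.get("ID") in seen_assertion_ids:  # replay: each Assertion ID is accepted once
        raise SamlValidationError("Assertion replayed")
    seen_assertion_ids.add(assertion.get("ID"))
    outstanding_request_ids.discard(in_response_to)  # a request ID is consumed by one response
    name_id = _one(assertion, "a:Subject/a:NameID")
    attributes = {attr.get("Name"): [v.text for v in attr.findall("a:AttributeValue", NS)]
                  for attr in assertion.findall("a:AttributeStatement/a:Attribute", NS)}
    return {"name_id": name_id.text.strip(), "name_qualifier": name_id.get("NameQualifier"), "attributes": attributes}


def rejection_reason(xml, **kwargs):
    """None if the Response is accepted, otherwise the reason it was refused."""
    try:
        validate_response(xml, **kwargs)
        return None
    except SamlValidationError as exc:
        return str(exc)
```

The seen-assertion set must outlive a single request and be shared across your SP's instances (a database or cache keyed by Assertion ID with a TTL of at least NotOnOrAfter plus skew); an in-memory set, as here, only protects a single process. Note that the NameQualifier is returned alongside the NameID: the pseudonym is scoped to the authenticating eID, so two eIDs can legitimately yield the same NameID string for different people.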

Learn more